Subscribe to our Threatpost Today newsletter

Join thousands of people who receive the latest breaking cybersecurity news every day.

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

*

*

I agree to my personal data being stored and used to receive the newsletter

*

I agree to accept information and occasional commercial offers from Threatpost partners

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

Senate Gives Nod To Controversial Cross-Border Data Access Bill

The senate on Thursday gave the thumbs up to a bill that is the subject of both support by tech companies and critique by privacy groups.

The United States Senate on Thursday approved a controversial cross-border data access act, dubbed the CLOUD Act, that was part of the overall omnibus government spending bill.

Buried on page 2,201 of the government spending bill is the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act), a provision that sets rules for how the government should handle accessing personal data that is stored by tech platforms abroad. For the US specifically, the bill would permit law enforcement to access citizens’ information that is stored on systems in a different country, given that they have a US court-approved subpoena.

“In today’s world of email and cloud computing, where data is stored across the globe, law enforcement and tech companies find themselves encumbered by conflicting data disclosure and privacy laws,” said senator Orrin Hatch (R-UT), one of the founders of the bill, in a statement. “We need a commonsense framework to help law enforcement obtain critical information to solve crimes while at the same time enabling email and cloud computing providers to comply with countries’ differing privacy regimes.”

As it stands in the bill, the government needs to undergo a series of steps with the country in which data is stored in order to access that data – even if it data of a citizen in their own country.

Law enforcement agencies currently use the mutual legal assistance treaty (MLAT) process to request data stored outside their borders, meaning they need to abide by the data privacy laws both of their country and of the country where the requested data is stored.

“Communications-service providers face potential conflicting legal obligations when a foreign government orders production of electronic data that United States law may prohibit providers from disclosing,” according to the act.

One such famous instance is Microsoft’s continuous struggle with US law enforcement over access to data stored in a data center in Ireland.

In 2013, US authorities tried to access customer emails from Microsoft from a data center housed in Dublin, Ireland as part of a U.S. trafficking investigation. While the Justice Department argued that a warrant issued in the US is enough, Microsoft countered that US law enforcement needs to first go through Irish authorities in order to obtain data stored in an Irish country.

Several major tech companies support the act, and in a Feb. 6 letter, several companies – including Microsoft, Google, Apple, Facebook and Oath – said that “if enacted, the CLOUD Act would be notable progress to protect consumers’ rights and would reduce conflicts of law.”

Meanwhile, Microsoft chief legal officer Brad Smith tweeted his support for the bill, calling it crucial “for building trust in the technology we all rely on every day.”

Today is an important day for privacy rights around the world, for international relations, and for building trust in the technology we all rely on every day. pic.twitter.com/9afiFXmzGn

“The bill would strip power away from Congress and the judicial branch, giving Sessions and [Michael] Pompeo (and future executive branch officials) virtually unchecked authority to negotiate data exchange agreements with foreign nations, regardless of whether they respect human rights or not. That’s a major shift from current law, and one that Congress should reject,” he said.

David Ruiz, with Electronic Frontier Foundation, said that the CLOUD Act has “enormous implications for data privacy protections abroad.”

“Plainly, this bill—which is now law—will erode [data privacy] protections,” he told Threatpost. “In the [Microsoft example], where U.S. law enforcement will issue search warrants to U.S. companies for data that is stored outside the United States, we already have a legal process for that. It’s called the MLAT process. The CLOUD Act bypasses the MLAT process, and it allows U.S. law to be applied to information stored in non-U.S. countries, forgoing the data protection laws of those countries.”

Authors

Threatpost

InfoSec Insider Post

InfoSec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Post

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.